Cryptography-Digest Digest #930, Volume #9 Fri, 23 Jul 99 17:13:03 EDT
Contents:
Re: What the hell is XOR? (John Myre)
Mush generator ([EMAIL PROTECTED])
Re: How Big is a Byte? (was: New Encryption Product!) (Brian Inglis)
Implementations of Rivest's "Chaffing and Winnowing"? ([EMAIL PROTECTED])
Re: Cluelessness Alert? I'm Not So Sure. (latest Crypto-Gram) (Roger Carbol)
Re: hush mail (Anton Stiglic)
Re: Q: Interaction of cross-posted follow-ups? (Vernon Schryver)
Re: How Big is a Byte? (Ian Stirling)
Re: hush mail ([EMAIL PROTECTED])
Re: public key (Anton Stiglic)
Re: Storing encrypted passwords (Anton Stiglic)
Re: Kryptos Beginning of publication of solution (JPeschel)
Re: Traffic Analysis (Roger Carbol)
Re: Q: Does ElGamal require that (p-1)/2 is also prime like DH? ([EMAIL PROTECTED])
Re: Q: Does ElGamal require that (p-1)/2 is also prime like DH? (David A Molnar)
Re: RSA public key (David A Molnar)
Re: Steganos II Security Suite released ("Roger Schlafly")
Re: What the hell is XOR? ("karl malbrain")
----------------------------------------------------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: What the hell is XOR?
Date: Fri, 23 Jul 1999 09:05:05 -0600
Spud wrote:
>
> I was reading "Applied Cryptography" by Bruce Schneier and I really don't
> get the XOR function. Help, please! Thanks.
>
> PS -- I'm not a computer newbie so you don't have to dilute any
> explainations with "easy words".
I guess I'm old now. I never thought I'd see the day when
someone who is "not a computer newbie" doesn't already know
what XOR is. I suppose this evidence of the sophistication
of the virtual machine is good...
John M.
------------------------------
From: [EMAIL PROTECTED]
Subject: Mush generator
Date: Fri, 23 Jul 1999 14:26:56 GMT
Where can I find either the shrinking generator (Crypto 93) or the
mutual shrinking generator (dunno?)?
I could get the references from AC if anyone needs... I have looked
around and I haven't found anything. I haven't found a website for Don
Coppersmith either...
Thanks for any help.
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
Free PRNG C++ lib:
'http://mypage.goplay.com/tomstdenis/prng.html'.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED] (Brian Inglis)
Crossposted-To: alt.folklore.computers
Subject: Re: How Big is a Byte? (was: New Encryption Product!)
Date: Fri, 23 Jul 1999 14:51:59 GMT
Reply-To: [EMAIL PROTECTED]
On Thu, 22 Jul 1999 18:34:47 GMT, [EMAIL PROTECTED] (STD DIALUP) wrote:
>The proper size of a byte really should be the width of the processor's
>data bus. Thus, 6502 is eight bytes, 80286 is sixteen bytes & the 386,486
>is 32 bytes.
The name for that unit is a *word*!
IMHO, the byte should probably be defined as the /normal/ fixed
storage unit size used in addresses, if that is larger than a bit
and smaller than a word.
Thus, you may have bit-, byte- and word-addressable machine
architectures, or ~-addressing instructions.
If there are optional address unit sizes, then the machine could
be said to have variable byte size.
Any other exceptions anyone can think of?
Thanks. Take care, Brian Inglis Calgary, Alberta, Canada
--
[EMAIL PROTECTED] (Brian dot Inglis at SystematicSw dot ab dot ca)
use address above to reply
------------------------------
From: [EMAIL PROTECTED]
Subject: Implementations of Rivest's "Chaffing and Winnowing"?
Date: Fri, 23 Jul 1999 15:36:17 GMT
Hello,
I have written some software that implements Rivest's "Chaffing and
Winnowing" idea to perform file encryption, and I'm wondering if there
is other software that does the same. Does anybody have any pointers?
Quite Sincerely,
Seth Scali
------------------------------
Subject: Re: Cluelessness Alert? I'm Not So Sure. (latest Crypto-Gram)
From: Roger Carbol <[EMAIL PROTECTED]>
Date: Mon, 19 Jul 1999 17:52:25 GMT
John Savard <[EMAIL PROTECTED]> wrote:
> So while it is true there is a way for the military to stay on-line
> and maintain security, it is also true that that is not immediately
> available.
You seem to imply that being online necessarily includes being
part of the Internet, which is of course false.
.. Roger Carbol .. [EMAIL PROTECTED]
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,alt.privacy,alt.security.keydist
Subject: Re: hush mail
Date: Fri, 23 Jul 1999 10:47:10 -0400
> Some stuff I don't like about Hushmail:
(this comes from reading their technical description)
1a. The New Account Java Applet is transferred to the client machine
via an SSL connection [....] (with 1024 bit public/private keypair).
O.k., this step is good, we have a 1024 bit public/private key SSL
connection.
4a. The user creates any passphrase they wish. The strength of the
system directly correlates to how hard it would be to guess or brute
force this passphrase.
This statement is misleading... I'll follow up on this later.
5a. Using a 128 bit key, derived from the user passphrase, the Blowfish
symmetric algorithm is applied to the user's plaintext private key,
generating an encrypted private key.
This encrypted key is then sent to HushMail's Data Base. So your private
key is encrypted using 128 bit Blowfish. 128 bit is equivalent to 16
ASCII characters, it's a bit better than an 8 ASCII character password
on UNIX, but still.... HushMail could potentially start a cracking algo,
trying brute force attack on all the encrypted private keys stored on
their Data Base and surely come up with a couple of private keys in a
month.
6a. A secure one-way hash of the user's passphrase (using SHA) is also
partially sent to the HushMail server, for validation of the user at a
later date.
This is why I said 4a is misleading. I don't like this way of
authenticating at all. Why not just use a sort of DES-like password
authentication used on UNIX. I don't understand why they just use a
part of a hash. Authenticating yourself as someone else no longer comes
down to just guessing the passphrase (or generated 16 character
password), but simply guessing the partial hash of it, this is surely
less secure, even if SHA would happen to have strong collision
resistance (which it most probably does not have...).
That's my humble opinion :)
Anton
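An added example, written for this digest and not taken from Anton's post or from Hushmail's software, of the two points above: the encrypted private key from step 5a resists an attacker holding the database only as far as the passphrase does, and the partial hash from step 6a gives that attacker a second target that needs no decryption at all. It is standard-library Python; Blowfish is not in the standard library, so a SHA-256 counter keystream stands in for the cipher (my stand-in; the attack does not depend on which cipher wraps the key). The wordlist, passphrase, salt and "private key" text are constructed, and the PBKDF2 variant is my addition, showing what actually raises the per-guess cost:

```python
import hashlib

# The post's setting: a 128-bit cipher key is derived from the user's
# passphrase, so whoever holds the encrypted blob only has to search the
# passphrase space, not the 2^128 key space.

def derive_key_unsalted(passphrase: str) -> bytes:
    """Passphrase -> 128-bit key with a single unsalted hash: one hash per guess."""
    return hashlib.sha1(passphrase.encode("utf-8")).digest()[:16]

def derive_key_pbkdf2(passphrase: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Same key length, but salted and iterated: each guess now costs `iterations` HMACs
    and precomputed tables are useless across users. The passphrase space is unchanged."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=16)

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (NOT Blowfish): XOR data with SHA-256(key || counter)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def partial_hash_verifier(passphrase: str, nbytes: int = 8) -> bytes:
    """Step 6a as described: part of SHA(passphrase), kept server-side for login."""
    return hashlib.sha1(passphrase.encode("utf-8")).digest()[:nbytes]

# Constructed stand-in for the stored private key (not a real key).
PRIVATE_KEY = b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n(constructed sample)\n"

def looks_like_private_key(plaintext: bytes) -> bool:
    """Recognisable structure tells the attacker when a guess was right."""
    return plaintext.startswith(b"-----BEGIN PGP PRIVATE KEY BLOCK")

def crack_encrypted_key(blob: bytes, kdf, wordlist) -> tuple:
    """Offline dictionary attack on the stored blob. Returns (passphrase, guesses tried)."""
    for n, guess in enumerate(wordlist, 1):
        if looks_like_private_key(stream_xor(kdf(guess), blob)):
            return guess, n
    return None, len(wordlist)

def crack_verifier(verifier: bytes, wordlist) -> tuple:
    """The same search against the partial hash alone: no cipher involved at all."""
    for n, guess in enumerate(wordlist, 1):
        if partial_hash_verifier(guess, len(verifier)) == verifier:
            return guess, n
    return None, len(wordlist)

# Constructed wordlist, user passphrase and per-user salt for the demonstration.
WORDLIST = ["password", "letmein", "hushmail", "correct horse", "qwerty123"]
USER_PASSPHRASE = "correct horse"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

def demo() -> tuple:
    """Run all three attacks; returns (weak-KDF result, PBKDF2 result, verifier result)."""
    blob_weak = stream_xor(derive_key_unsalted(USER_PASSPHRASE), PRIVATE_KEY)
    blob_slow = stream_xor(derive_key_pbkdf2(USER_PASSPHRASE, SALT), PRIVATE_KEY)
    found_weak = crack_encrypted_key(blob_weak, derive_key_unsalted, WORDLIST)
    found_slow = crack_encrypted_key(blob_slow, lambda g: derive_key_pbkdf2(g, SALT), WORDLIST)
    found_verifier = crack_verifier(partial_hash_verifier(USER_PASSPHRASE), WORDLIST)
    return found_weak, found_slow, found_verifier
```

All three searches succeed on the fourth guess; the PBKDF2 blob only costs about 100,000 times more per guess. That is the practical content of 4a: a stored, passphrase-wrapped key is a password-cracking target, and the partial hash in 6a is a cheaper one than the key itself.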
------------------------------
From: [EMAIL PROTECTED] (Vernon Schryver)
Subject: Re: Q: Interaction of cross-posted follow-ups?
Date: 23 Jul 1999 08:44:40 -0600
In article <7n9a5h$j4h$[EMAIL PROTECTED]>, Thomas Pornin <[EMAIL PROTECTED]> wrote:
>According to <[EMAIL PROTECTED]>:
> ...
>Usenet uses no crypto. It is not authenticated. Making Usenet more secure
>is indeed a true cryptographic challenge. It would require a careful
>design, by someone aware of both public-key cryptography and Usenet
>mechanisms. I will try it sometime (not now: too much work).
It's already been done in the main hierarchy for the only Usenet messages
that matter even a little. For the last year or three, the messages that
create and delete newsgroups are signed and their signatures are checked
by most systems, because their abuse got to be such a hassle. Look for
`pgpverify` in the nearest system running innd.
That mechanism could be extended to improve cancelling or posting for
moderators in the main hierarchy, but no one seems to care enough.
It's all only netnews.
--
Vernon Schryver [EMAIL PROTECTED]
------------------------------
From: Ian Stirling <[EMAIL PROTECTED]>
Crossposted-To: alt.folklore.computers
Subject: Re: How Big is a Byte?
Date: Fri, 23 Jul 1999 17:09:30 GMT
In alt.folklore.computers wtshaw <[EMAIL PROTECTED]> wrote:
>In article <[EMAIL PROTECTED]>, Ian
>Stirling <[EMAIL PROTECTED]> wrote:
>>
>> Hence, in base 1, the number
>> "11111" is equal to 5, "111 11" is also equal to 5, as is "111011"
>11111 is not a base 1 number, but it is equal to 63 in base 2, of course.
>Marks, tallys, strokes, all imply a + between each pair of adjacent figures.
But in base 1, there is a + between figures.
A number abc in base n has the value a*n^3 + b*n^2 + c*n^1
For base 1, this is just a+b+c
Am I missing something?
------------------------------
From: [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp,alt.privacy,alt.security.keydist
Subject: Re: hush mail
Date: Fri, 23 Jul 1999 14:39:23 -0400
> What? Wasted computing? False security?
> Those work in favour of other services.
No no no. You would have to agree that this is more secure than say Hotmail.
In either case, I use PGP to encrypt ALL e-mail no matter if I'm sending it to
another hushmail user encrypted. Even if they break Hushmail, they'd still
have to break PGP. I don't see any problem using hushmail IF you realize that
you still need to use pgp.
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: public key
Date: Fri, 23 Jul 1999 14:47:26 -0400
John Xiao wrote:
> Can anyone show me a sample of public key?
> I know how the key works conceptually, but just can't get into detail.
> Thanks.
This is a sample of a public key:
;)
Anton
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Storing encrypted passwords
Date: Fri, 23 Jul 1999 14:50:43 -0400
Dmitri Alperovitch wrote:
> >I develop commercial software, but I know
> >very little about encryption. I need to
> >provide ftp services within my App, and I would
> >like to store login information in a secure
> >fashion. The following criteria is absolutely
> >necessary:
> >[1] Adhere to US export laws.
> >[2] Do not violate patents/copyrights.
> >[3] Still provide reasonable security.
The only solution is to use a user provided password as an encryption
key, and make sure he logs on using ssh. But I'm not sure I understand
your situation, can you elaborate?
Anton
------------------------------
From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: Kryptos Beginning of publication of solution
Date: 23 Jul 1999 19:14:22 GMT
>collomb" <[EMAIL PROTECTED]> writes a whole bunch of stuff that I snipped:
>To have a general view of this work, please go to my web site:
>http://calvaweb.calvacom.fr/collomb/
>
>The decoding of KRYPTOS step by step
>
>First step
>
>The text of KRYPTOS comprises 4 sentences which end by a question mark ?...
With a bit more hard work and perseverance you should soon
be able to see the real final message. It is, as you suspected,
an image! Predicted by Nostradamus, Hanna, and Barbara,
the image clearly shows Wiley Coyote finally besting Roadrunner.
Beep, beep!
Joe
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
------------------------------
Subject: Re: Traffic Analysis
From: Roger Carbol <[EMAIL PROTECTED]>
Date: Mon, 19 Jul 1999 19:28:25 GMT
John Savard <[EMAIL PROTECTED]> wrote:
>I doubt the "Black Hats", if you mean the eavesdroppers, are
>neglecting it. But they are the less talkative ones...
What I meant was that the literature on breaking crypto seem to
gloss over the subject, if they mention it at all.
Counter-examples are more than welcome.
.. Roger Carbol .. [EMAIL PROTECTED]
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Q: Does ElGamal require that (p-1)/2 is also prime like DH?
Date: Fri, 23 Jul 1999 18:47:35 GMT
Anton Stiglic wrote:
> Anyways, if you are looking for a prime of the form p = 2q + 1, you
> start by computing q.
[...]
> You then just test if p is in fact prime or not, this does not take
> much time (example, Miller Rabin prob. test algorithm 4.24 in the Big
> Green book (Menezes, Oorschot, Vanstone)). It is efficient, the
> probability of error reduces exponentially with the number of rounds
> you execute the algo.
I have to disagree. The following procedure
constructs p = 2q + 1 where p and q are prime
much faster.
First, choose the range to search for p and q.
Sieve out small prime factors from both the p
range and q range. This way we only do further
tests when we know that neither p nor q will
have a small factor.
To test a candidate that passes the sieve, do one
iteration of a Fermat test on q with a base of 2.
If it passes, do a base-2 Fermat test on p.
Finally, do the iterated Miller-Rabin tests on q
and p.
Note that constructing prime p where (p-1)/(2r) is
also prime and r is not large is much faster. We
find prime q, then search for r where p = 2rq + 1
is also prime. Using this form, once we find a
prime q we never have to reject it.
--Bryan
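An added example, not code from Bryan's or Anton's posts, implementing the procedure above in Python: sieve small factors out of the q range and the p = 2q + 1 range at once, run one base-2 Fermat test on q and then on p, and only then spend the Miller-Rabin rounds (algorithm 4.24 in Menezes, van Oorschot and Vanstone) on both. It also implements the relaxed form from the last paragraph, where a prime q is kept and r is searched so that p = 2rq + 1 is prime. The small-prime bound, sieve window, bit size and seed in demo() are my choices:

```python
import random

def small_primes(limit: int) -> list:
    """Primes up to `limit` by a plain sieve of Eratosthenes (trial-division table)."""
    flags = bytearray([1]) * (limit + 1)
    flags[0] = flags[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if flags[i]:
            flags[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i, f in enumerate(flags) if f]

SMALL_PRIMES = small_primes(2000)   # bound is my choice

def fermat_base2(n: int) -> bool:
    """One Fermat test, base 2: a cheap filter that every odd prime passes."""
    return pow(2, n - 1, n) == 1

def is_probable_prime(n: int, rounds: int = 32, rng=random) -> bool:
    """Miller-Rabin; a composite survives each round with probability <= 1/4."""
    if n < 2:
        return False
    for s in SMALL_PRIMES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def sieve_safe_candidates(q0: int, count: int) -> list:
    """q in [q0, q0+count) such that neither q nor p = 2q+1 has a factor in SMALL_PRIMES.
    q0 must be odd and larger than every small prime."""
    ok = bytearray([1]) * count
    for s in SMALL_PRIMES:
        for i in range((-q0) % s, count, s):          # s | q
            ok[i] = 0
        if s == 2:
            continue                                  # 2q+1 is always odd
        for i in range(((s - 1) // 2 - q0) % s, count, s):   # s | 2q+1  <=>  q = (s-1)/2 mod s
            ok[i] = 0
    return [q0 + i for i in range(count) if ok[i]]

def gen_safe_prime(bits: int, rng, window: int = 1 << 16) -> int:
    """Bryan's procedure: sieve both ranges, Fermat base 2 on q then p, then Miller-Rabin."""
    assert bits >= 32
    while True:
        # random odd q with exactly bits-1 bits, so p = 2q+1 has exactly `bits` bits
        q0 = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        for q in sieve_safe_candidates(q0, window):
            if q.bit_length() != bits - 1 or not fermat_base2(q):
                continue
            p = 2 * q + 1
            if not fermat_base2(p):
                continue
            if is_probable_prime(q, rng=rng) and is_probable_prime(p, rng=rng):
                return p

def prime_with_large_subgroup(q: int, rng, r_max: int = 1 << 20) -> tuple:
    """The relaxed form: keep prime q, search r so that p = 2rq+1 is prime. Returns (p, r)."""
    for r in range(1, r_max):
        p = 2 * r * q + 1
        if any(p % s == 0 for s in SMALL_PRIMES):
            continue
        if fermat_base2(p) and is_probable_prime(p, rng=rng):
            return p, r
    raise ValueError("no prime of the form 2rq+1 found with r < r_max")

def demo(bits: int = 64, seed: int = 2024) -> tuple:
    """Deterministic run: returns (safe prime p, a prime 2rq+1 over the same q, r)."""
    rng = random.Random(seed)
    p = gen_safe_prime(bits, rng)
    p2, r = prime_with_large_subgroup((p - 1) // 2, rng)
    return p, p2, r
```

The ordering matters for cost: the sieve rejects most candidates with one modular reduction each, the Fermat tests reject nearly all of the rest with one exponentiation each, and the 32-round Miller-Rabin only runs on candidates that are almost certainly prime. Use a cryptographic generator (`random.SystemRandom` or `secrets`) rather than a seeded `random.Random` for real keys; the seed here exists so the run is reproducible.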
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Q: Does ElGamal require that (p-1)/2 is also prime like DH?
Date: 23 Jul 1999 19:46:52 GMT
Anton Stiglic <[EMAIL PROTECTED]> wrote:
> anyways it is what is used). You then just test if p is in fact prime or
> not, this does not take much time (example, Miller Rabin prob. test
> algorithm 4.24 in the Big Green book (Menezes, Oorschot, Vanstone)).
> It is efficient, the probability of error reduces exponentially with
> the number of rounds you execute the algo.
This reminds me -- what do you think of the " construction of provable
primes" algorithm due to Maurer in that book?
Thanks,
-David Molnar
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: RSA public key
Date: 23 Jul 1999 19:43:08 GMT
Vincent <[EMAIL PROTECTED]> wrote:
> Thomas Pornin wrote in message <7n9fi0$oau$[EMAIL PROTECTED]>...
>>According to <[EMAIL PROTECTED]>:
>>> How would you guess the message?
>>
>>By the Chinese Remainder Theorem: if the three public moduli are n1, n2
>>and n3, you know m^3 modulo n1, n2 and n3. These three public moduli
>>are relatively prime with each other (if not, you can factorize at least
>>two of them, which then gives access to the message)
> How do you know they are relatively prime with each other?
> I think they could share a GCD>1 without (this GCD) being prime, isn't it?
> My mathematic abilities are limited, so what do you think?
It's not really that the moduli must be relatively prime. It's just that
if they are not, the scheme tends to break horribly. So most people
implementing RSA take steps to prevent that from happening.
These are RSA moduli, of the form N = p * q . Normally p and q are
supposed to be primes. So you have
n1 = p_1 * q_1
n2 = p_2 * q_2
n3 = p_3 * q_3
Now if all the ps and qs really are prime, then all the ns are relatively
prime. The gcd between any two of them is 1. Now let's take n1 and n2 as
examples of what could go wrong. n1 and n3, or n2 and n3 would work, too.
Say we screwed up prime generation, and p_2 is a multiple of p_1,
where p_1 is still a prime. When we take the gcd of n1 and n2, we'll get
p_1. Now we know :
* q_1 must be n1 / p_1
* We have p_1 = gcd(n1, n2). So now we have the factorization of
n1 and can get the message by computing the private key for n1.
* We also know that n2 = (some multiple k of p_1) * q_2 . So we
can get this k*q_2 by dividing n2 by p_1. If k is small (like 2 or
3), then we get q_2. It's not clear to me what happens if k is
very big.
Your question is "can n1 and n2 have a GCD > 1 without the GCD being
prime?" Well, how would that happen?
In general, it is possible to have the GCD of two numbers not be a prime.
I think of numbers as sets of their prime factors. So for example,
27 = {3 * 3 * 3}
30 = {2 * 3 * 5}
The GCD of 27 and 30 is the set containing 1 of each factor they have in
common. Here that's {3}. What if we multiply 27 by 2 ? We get
54 = {2 * 3 * 3}
30 = {2 * 3 * 5}
and the GCD is {2 * 3}, or 6.
So it looks like if two numbers have a non-prime GCD, then they share
more than one prime factor.
For normal RSA moduli, each modulus has only two factors.
n1 = {p_1 * q_1}
n2 = {p_2 * q_2}
If the moduli are not relatively prime, then at least one of these
factors is not prime. What is more, that factor *must* include at least
one prime factor from the other modulus. So for the case discussed above,
where p_2 is a multiple "k" of p_1, we have
n1 = {p_1 * q_1}
n2 = {k * p_1 * q_2}
gcd(n1, n2) = {p_1}
Now to get a gcd with more than one prime factor in it, it seems that we
could say that n1 is a multiple "k" of n2 :
n1 = {k * p_2 * q_2}
n2 = {p_2 * q_2}
gcd(n1, n2) = {k} k not necessarily prime?
I don't see how that helps us recover a message encrypted with n1 as the
modulus (probably missing something).
Another case could be if you were trying to use RSA with moduli which
consisted of several distinct primes, not just two. Then you could have a
gcd which was the product of any primes the two moduli had in common. I
think dividing by that gcd would just reduce the problem to factoring
the product of the remaining primes, assuming no evil problems creep in
from using more than 2 primes.
-David Molnar
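An added example, not from Thomas Pornin's or David Molnar's posts, carrying both cases through in Python with e = 3: the Chinese Remainder Theorem attack when the same message goes to three recipients (m^3 is smaller than n1*n2*n3, so CRT recovers m^3 as an integer and a cube root finishes it), and the gcd case where two moduli share a prime. The six primes are well-known ones picked by me for the toy keys (10^9+7, 998244353, 2^32-5, 2^32-17, 7*2^26+1 and 5*2^25+1, all congruent to 2 mod 3 so that 3 is a valid exponent); the message is constructed. Real keys are far larger, which changes nothing in the attack:

```python
from math import gcd

E = 3
# Constructed toy keys (p, q); see the lead-in for where the primes come from.
KEYS = [
    (1000000007, 998244353),
    (4294967291, 4294967279),
    (469762049, 167772161),
]

def private_exponent(p: int, q: int, e: int = E) -> int:
    """d = e^-1 mod (p-1)(q-1); requires gcd(e, (p-1)(q-1)) == 1."""
    return pow(e, -1, (p - 1) * (q - 1))

def encrypt(m: int, n: int, e: int = E) -> int:
    return pow(m, e, n)

def crt(residues: list, moduli: list) -> int:
    """Chinese Remainder Theorem for pairwise coprime moduli."""
    total = 1
    for n in moduli:
        total *= n
    x = 0
    for r, n in zip(residues, moduli):
        ni = total // n
        x += r * ni * pow(ni, -1, n)
    return x % total

def icbrt(x: int):
    """Exact integer cube root of x, or None if x is not a perfect cube."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == x else None

def broadcast_attack(ciphertexts: list, moduli: list):
    """Pornin's case: three ciphertexts of the same m under e=3 and coprime moduli.
    CRT yields m^3 itself because m^3 < n1*n2*n3, so no private key is needed."""
    for a, b in ((0, 1), (0, 2), (1, 2)):
        if gcd(moduli[a], moduli[b]) != 1:
            raise ValueError("moduli share a factor; use shared_factor_attack instead")
    return icbrt(crt(ciphertexts, moduli))

def shared_factor_attack(c: int, n: int, other_n: int):
    """Molnar's case: gcd(n, other_n) > 1 exposes a prime of n, hence its private key."""
    p = gcd(n, other_n)
    if p in (1, n):
        return None
    q = n // p
    return pow(c, private_exponent(p, q), n)

def demo() -> tuple:
    """Returns (original m, m from the broadcast attack, m from the shared-factor attack)."""
    m = int.from_bytes(b"hello", "big")          # constructed message, smaller than every modulus
    moduli = [p * q for p, q in KEYS]
    cts = [encrypt(m, n) for n in moduli]
    recovered = broadcast_attack(cts, moduli)
    # Botched key generation for a fourth user: reuses p_1 with a fresh q.
    n_bad = KEYS[0][0] * KEYS[1][1]
    recovered_via_gcd = shared_factor_attack(cts[0], moduli[0], n_bad)
    return m, recovered, recovered_via_gcd
```

The pairwise gcd check at the top of `broadcast_attack` is the same check a key generator should run against every existing modulus before accepting a new one, since a shared prime costs one gcd to find.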
------------------------------
From: "Roger Schlafly" <[EMAIL PROTECTED]>
Subject: Re: Steganos II Security Suite released
Date: Fri, 23 Jul 1999 12:45:51 -0700
Fabian Hansmann wrote in message
<7n9q8j$ml0$[EMAIL PROTECTED]>...
>the software company DEMCOM released Steganos II Security Suite
>for Windows 95, 98, 2000 and NT today. This is the long-awaited
>successor to Steganos for Windows 1.5.
>...
>An unrestricted 30 days trial version can be downloaded from
>http://www.steganography.com/english/steganos. A German version is
>available at http://www.steganography.com/deutsch/steganos.
The site suggests "Participate in the new Steganos logo program".
What good is steganography if you advertise how you are using it?
------------------------------
Reply-To: "karl malbrain" <[EMAIL PROTECTED]>
From: "karl malbrain" <[EMAIL PROTECTED]>
Subject: Re: What the hell is XOR?
Date: Fri, 23 Jul 1999 13:31:21 -0700
SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote in message
news:7n9sgh$d56$[EMAIL PROTECTED]...
> I wasn't going to comment on XOR but it is one of my favorite things
> and since this thread seems like it is long lived I decided to throw in
> my 2 cents worth.
> If one has a old copy of "EDN" I wrote a circuit up that won the design
> awards for that month. Not even sure the magazine is still in publication
> but the article generated much mail and shows my love of the XOR
> function.
Yes, Engineering Design News is still in publication. One of its regular
columnists is Bob Pease. Which issue are you referring to in specific??
Karl M
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************